Could Facebook Become the New Web of Trust? Maybe!

Adding Your Public Key to Your Facebook Profile

To display your public key on your profile page, you need to update your contact information. From Facebook’s top menu bar, click on your face to get to your profile. Then click on Update Info.

Now to add my PGP Public Key to my profile page

Moving on. Click on Contact and Basic Info for the next step.

Click on Contact and Basic Info

Now click + Add a public key.

Now you can add your public key

Paste your public key into the field provided, if it isn’t already there. Choose who you want to be able to see your key, and click Save Changes.

If it isn’t already there, you can paste it into place

That’s it! After this, anybody you allow will be able to view and download your OpenPGP public key for use in emailing you.

Now for the Gotcha

Here’s a problem that may crop up if you turn on encrypted notifications from Facebook. Assuming you’re using Keychain to store your passwords, Safari will ask if you want to update your password. You probably should, but be aware of what that Keychain Access entry will look like afterwards. Here’s an example.

This is ugly window management

I’ve blurred out some data there, but it’s my public key. You can see there is no way to access my password to view it or change it.

To get around the problem, I had to highlight the entire contents of my public key, cut it, and then attempt to close the window. Keychain Access asked if I wanted to save my changes, and it was only when I said no that I was able to access the password field in the window.

This isn’t much better, but at least I can see the password field now

Your experience might be similar, so if you can’t see the password field, follow my advice from above and you should be okay.

Facebook Could Become the New Web of Trust

Almost everybody uses Facebook these days. It’s definitely conceivable that the social media network could become the new Web of Trust for PGP, if people start using this feature more. Of course, nobody I talked to about it even knew it was there, so that might not bode well for its prospects. However, if enough of us get the word out, it certainly could become a handy repository of public keys.

Hi Jeff. You might be interested in what we did with https://www.securemyemail.com where we did, indeed, use Facebook, Twitter, and LinkedIn with openPGP as an “update” to the legacy PGP Web of Trust. Instead of manually verifying the public key on Facebook (still possible, though) we automated things by asking (it is optional) SecureMyEmail users to authenticate to their preferred social network(s) to verify their identity. Once done, when these users invite contacts to set up encrypted email with them, the invitee can see if the inviter has verified their identity with a social network and click on the social… Read more »